2003 Server R2 - Network Connections Service fails after dcpromo

[MWave6@gmail.com]

Hello,

I've recently upgraded our Windows 2000 domain to Server 2003 R2.
adprep forestprep, domainprep, and gpprep steps have completed
properly. I have joined my Windows 2003 Server x64 system to our
domain successfully.

However, several reboots after joining the domain, the "Network
Connections" service will no longer start on this machine. I can't
start it manually, it times out with an error code of
1053. All network interfaces are gone from "My Network Places"
properties.

The domain is in 2000 native mode and we have no NT servers. I've also
followed many of the steps in MS KB825826 (http://
support.microsoft.com/kb/825826/) Does anyone have any suggestions?


Thanks,
Tom W.

[David Shen [MSFT]]

Hello Tom,

Thank you for posting in newsgroup.

According to the description, the issue is that "Network Connections"
service was no longer start on the Windows 2003 Server x64 system after you
add it into the newly upgraded Windows Server 2003 R2 domain. If I have any
misunderstanding, please feel free to let me know.

Based on the research, here is some information which may be helpful for
you.

Analysis and Suggestions:
===========================

According to the research, the "Network Connections" service depends on the
"Remote Procedure Call" service. I suspect that the issue may be caused by
the failure of the "Remote Procedure Call" service. To narrow down the root
cause of the issue, please change the logon account from "Local System
Account" to "Network/NT Authority" and then follow the steps to check if
the issue will re-occur.

1. Open Group Policy editor.

Go to Computer Configuration - Windows Settings - Local Policies - User
right Assignment- look for "Bypass traverse checking" Policy and add
"everyone" account.

2. Go to Windows - Registration folder - go to properties - Security tab -
add the following accounts with permissions.

a.Administrator - Full rights

b.System - Full rights

c.everyone - Read / Modify and List

Then click "APPLY" and go to "General" tab and click on the "Advance"
button. Here click the "Inheritance option" and finally click "OK"

3. Open regedit

a.go to "My Computer\HKEY_CLASSES_ROOT_\CLSID". Right click on it and
select "Permissions" and add "Authenticated Users" with "Full Permissions"

b.Go to "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services".
Right click and select "Permissions" and add "Network Service" and "Local
Service" with "Full Permissions"

4.Finally go to "My
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and set
the "ObjectName" to "NT Authority\NetworkService"

5.Reboot the promblematic server and check if the issue still exists.

Hope it helps.

Thanks for the co-operation.

David Shen
Microsoft Online Partner Support

[MWave6@gmail.com]

Hi David,

Thanks for your input.

I have looked over you steps and even attempted some of them. However,
I must inform you that the RPC service has started just fine and
"Everyone" already had some permissions to the Windows\Registration
folder. I bumped it up to Modify.

I can't perform this step (3b):

Go to "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services".
Right click and select "Permissions" and add "Network Service" and
"Local
Service" with "Full Permissions"


There is no "Network Service" or "NetworkService", even with FQ ("NT
Authority\Network Service").

Any advice or workaround strategy for this?


Thanks,
Tom W.

[David Shen [MSFT]]

Hi Tom,

Did you logon the problematic server with administrator credential to
change the permission of the registry sub tree?

David Shen
Microsoft Online Partner Support

[MWave6@gmail.com]

Hi David,

Well, I was logged on with the cached domain admin account. It's
possible that this is orphaned now that the DC cannot communicate out
to the domain.

I'll try the local admin account if it is still available.

Also, I found KB #309307 which describes our symptoms exactly.
However, the steps in here did not fix our problem.
http://support.microsoft.com/kb/307309/en-us

When I do ipconfig, adapter #1 has an APIPA (169.254.x.x) address.
Adapter #2 appears to be pulling an IP from our DHCP pool. However, no
communications are possible and no network icons appear in the list.


Thanks Again,
Tom W.


On Jul 16, 3:20 am, v-das...@online.microsoft.com (David Shen [MSFT])
wrote:
> Hi Tom,
>
> Did you logon the problematicserverwith administrator credential to
> change the permission of the registry sub tree?
>
> David Shen
> Microsoft Online Partner Support

[David Shen [MSFT]]

Hi Tom,

Thanks for your reply. According to the description and the symptom, there
are many possible causes for this issue, please follow the steps to check
if the issue will re-occur.

Steps:
========

1. Please Check if Network Connections service is listed

If the Network Connections service is missing - Verify the Registry entry
for the service is intact for Network Connection Service
(HKLM\SYSTEM\CCS\SERVICES\NETMAN)

If the Key is missing, please export the full key from another machine
merge it with problematic machine

In command prompt Type the following "regsvr32 netman.dll"

Reboot the machine

2 . Check if "Network Connections" Services is started

If the service is not started, please check if Remote Procedure Call (RPC)
Service is running with Network Service account, if yes Switch it to Local
System Account then reboot

If you would like to roll back the Account used by RPC to Network Service &
use Network Connections use the following steps (Retain the Account to
Local System Account during these steps)

Launch "Local Security Settings" and then Select "User Rights Assignment"

Edit "Impersonate a client after authentication"

Ensure "Administrators" & "Service" is listed along with other accounts

In case of a DC or Modifying this by Group Policy Edit "Default Domain
Policy"

Under Computer Configuration\Windows Settings\Security Settings\Local
Policies

Select "User Rights Assignment"

Edit "Impersonate a client after authentication"

Ensure "Administrators" & "Service" is listed along with other accounts

For more detailed information about troubleshooting the issue, you may
refer to the General troubleshooting methods in the following KB.

How to troubleshoot missing network connections icons in Windows Server
2003 and in Windows XP
http://support.microsoft.com/kb/825826/

Network and Dial-Up Connection Icons Disappear When You Use Dcomcnfg.exe to
Set the Default Impersonation Level to Anonymous
http://support.microsoft.com/kb/273461/

Troubleshooting missing network and dial-up connections icons
http://support.microsoft.com/kb/329050/

Due to the complexity of this issue we are unable to effectively assist
with this request in the newsgroups. If the issue still exists, I would
like to suggest that you contact Microsoft Product Support Services via
telephone so that a dedicated Support Professional can assist you.

To obtain the phone numbers for specific technology request please take a
look at the web site listed below.

http://support.microsoft.com/default...S;PHONENUMBERS

If you are outside the US please see http://support.microsoft.comfor
regional support phone numbers.

Hope the issue will be resolved soon.

David Shen
Microsoft Online Partner Support

[David Shen [MSFT]]

Hello Tom,

We wanted to see if the information provided was helpful. Please keep us
posted on your progress and let us know if you have any additional
questions or concerns.

We are looking forward to your response.

David Shen
Microsoft Online Partner Support

[David Shen [MSFT]]

Hi Tom,

How's everything going?

I'm wondering if the suggestion has helped or if you have any further
questions. Please feel free to respond to the newsgroups if I can assist
further.

David Shen
Microsoft Online Partner Support

[MWave6@gmail.com]

Hi David,

Thanks for following up.

In fact, the RPC service had been set to the "NT Authority" account.
After resetting it to Local Account, the service started fine and all
network connection objects are available again.

I had the same problem on a new BDC and the same action was the
solution. We'll be mindful of the impersonation steps in the future,
but after 2 weeks the service hasn't reverted to the old settings via
default domain group policy.

Looks like a success! Thanks for all of your help.


Tom W.


On Jul 24, 11:06 pm, v-das...@online.microsoft.com (David Shen [MSFT])
wrote:
> Hi Tom,
>
> How's everything going?
>
> I'm wondering if the suggestion has helped or if you have any further
> questions. Please feel free to respond to the newsgroups if I can assist
> further.
>
> David Shen
> Microsoft Online Partner Support

[David Shen [MSFT]]

Hi Tom,

I am glad that the suggestion is helpful to you. If you have any other
question, please welcome to the newsgroup again.

David Shen
Microsoft Online Partner Support

[MWave6@gmail.com]

Hi David,

Can you tell me what the recommended setting for this is? Is it
considered good security practice to leave the Network Connections
Service using "Local Account"? Or is it preffered to change both
services back to "NT Authority"?


Thanks,
Tom W.


On Aug 1, 1:58 am, v-das...@online.microsoft.com (David Shen [MSFT])
wrote:
> Hi Tom,
>
> I am glad that the suggestion is helpful to you. If you have any other
> question, please welcome to the newsgroup again.
>
> David Shen
> Microsoft Online Partner Support

[MWave6@gmail.com]

Hi Again,

Followup here:

When I attempt to remotely manage a new DC and view the event log, I
get "required impersonation level was not provided or the provided
impersonation level is invalid".

Suggestions?


Thanks,
Tom W.


On Sep 17, 8:55 pm, MWa...@gmail.com wrote:
> Hi David,
>
> Can you tell me what the recommended setting for this is? Is it
> considered good security practice to leave the Network Connections
> Service using "Local Account"? Or is it preffered to change both
> services back to "NT Authority"?
>
> Thanks,
> Tom W.
>
> On Aug 1, 1:58 am, v-das...@online.microsoft.com (David Shen [MSFT])
> wrote:
>
>
>
> > Hi Tom,
>
> > I am glad that the suggestion is helpful to you. If you have any other
> > question, please welcome to the newsgroup again.
>
> > David Shen
> > Microsoft Online Partner Support- Hide quoted text -
>
> - Show quoted text -

[David Shen [MSFT]]

Hi Tom,

For the network connection service, we recommend you keep the default
security setting for it. In other word, it is better to keep using the
"Local System Account" to startup the network connection service.

For the error message "required impersonation level was not provided or the
provided impersonation level is invalid", please refer to the
troubleshooting steps in the following Microsoft KB article to ensure the
user account has "Impersonate a client after authentication" right. By
default, Administrators, Local Services, Network Services and Service
account has this right . If the issue still exist, I would like to suggest
that you initial a new thread in the newsgroup.

Overview of the "Impersonate a Client After Authentication" and the "Create
Global Objects" Security Settings (821546.KB.EN-US.2.2)
http://support.microsoft.com/kb/821546

Hope it helps.

David Shen
Microsoft Online Partner Support

[David Shen [MSFT]]

Hi,

We wanted to see if the information provided was helpful. Please keep us
posted on your progress and let us know if you have any additional
questions or concerns.

David Shen
Microsoft Online Partner Support